Hackers could be lurking behind the office coffee pot
Professor Máire O’Neill, a leading cryptography expert, has long been at CSIT and is now heading up the new Research Institute in […]
July 5, 2018
Professor Máire O’Neill, a leading cryptography expert, has long been at CSIT and is now heading up the new Research Institute in Secure Hardware and Embedded Systems (RISE).
“The institute involves research projects from different universities – Queen’s, Cambridge, Birmingham and Bristol – four leading universities in cyber security research,” she says.
Statistics show that CSIT helped create 1,200 jobs in cyber security in Belfast in the timespan 2009-2017.
What kind of research are you undertaking in the area of Smart Cities?
Máire says, “Hardware security is becoming a key area in cyber security, with the growth of IoT.”
She explains, “It’s easier to secure the hardware than the software – although you need both, a hardware root of trust can provide the inherent security necessary for IoT devices.”
Máire discusses how the IoT is essentially a three-tiered stack that begins with devices, moves up to the communications layer between those devices, and at the top, the data storage at the back-end.
“Security is needed in all layers. If you secure the devices, that’s a good starting point in fundamentally securing the whole IoT system.”
What’s cutting-edge in this?
“One new area is homomorphic encryption – this allows you to perform operations on encrypted data, without decrypting it. So you can do big data analysis on encrypted data instead of needing it to be decrypted back to plain text,” she says.
Historically this area of cyber security hasn’t been practical because of the vast computational resources it requires, making any operation too slow to be useful.
But Máire says that “theoretical breakthroughs” are needed, and that it would “be a game changer for cloud security if we can achieve practical fully homomorphic encryption.”
Are the stakes higher for attacks on Smart Cities – do hackers have more to gain?
“I don’t know if you’ll have a city where absolutely everything is connected. More realistic is a series of smart connected infrastructures. That makes it more secure than a situation where everything is in one network,” explains Máire. “As you increase the surface of connectivity, that increases the attack surface.”
Where are the areas of concern?
“Mundane objects can be used as a point of attack. As example, the office coffee pot, connected to the office WiFi, can be used as a point of entry for hackers,” she says.
Is every connected device a point of vulnerability?
“Anything that’s connected, so for instance, Smart TVs, smart video conferencing units – if it’s connected to the IoT it’s vulnerable.”
Are these devices coming off the shelf without any security?
She says, “Security is an afterthought or not even considered at all, in the race to market. A key aim of RISE is to educate the world about this.”
And in the home?
“The interactive Kayla doll has become infamous for having zero security features. It’s an interactive toy for kids, and YouTube demos show that you can easily break into the doll, and talk to children.”
“Children’s toys were on Tech Republic’s list of Least Secure Connected Devices, released in February 2018.”
If you knew an 18 year old who was interested in Smart Cities, what career path or academic degree would you advise?
“Security analytics would be a great career path right now, as there is demand from industry for this skillset. This involves the application of analytic tools for security monitoring and threat detection,” says Máire.
“One example is using deep learning approaches for mobile malware detection – and to uncover vulnerabilities in websites.”
She continues, “For Smart Cities to flourish, security needs to be built in from the outset. Novel wireless approaches are needed, analytics and big data (and video surveillance would be in that group as well) – those are the lack of skillsets that companies are pointing to.”
Is a Smart city inherently a surveillance city?
“It could be, but it depends on how you deal with privacy issues. For example, in previous research we looked at video security, which would allow a scene to be monitored while ensuring faces are blurred – this is called selective encryption. One interesting area is when you combine selective encryption approaches in video, with trying to track anomalous activity – something that’s out of the ordinary – such as a bag left on a bus.”
“There is always a trade-off between the benefits of these advanced technologies, and what you may lose in terms of privacy.”